Symantec United States
global sites
products and services
purchase
support
security response
downloads
about symantec
search
feedback


© 1995-2007 Symantec Corporation.
All rights reserved.
Legal Notices
Privacy Policy

security updates

Information on Back Orifice and NetBus

The following document provides a detailed technical explanation of the Back Orifice tool. There is another existing tool called NetBus which has capabilities similar to Back Orifice. The currently available definitions of Norton AntiVirus detect both Back Orifice and NetBus. To download these definitions, please go here.

Back Orifice Overview
Back Orifice is a tool consisting of two main pieces, a client application and a server application. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations that the client application can perform on the target machine (e.g., the machine running the server application) include the following:

  • Execute any application on the target machine.
  • Log keystrokes from the target machine.
  • Restart the target machine.
  • Lockup the target machine.
  • View the contents of any file on the target machine.
  • Transfer files to and from the target machine.
  • Display the screen saver password of the current user of the target machine. The creators of Back Orifice also claim to be able to display "cached passwords" for the current user, but no other passwords were displayed during our analysis.

Technical Details

Server application installation
In order for Back Orifice to work, the server application must be installed on the target machine. This involves executing the server application on the target machine. The server application is a single executable file with a size just over 122 kilobytes. The application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices

The specific registry value which points to the server application is configurable (see section below on configuration). By doing so, the server application always starts whenever Windows starts, and thus is always active. The application will not appear in the Windows task list.

Target machine requirements
The target machine must be running either Windows 95 or Windows 98. The server application will not run on Windows NT. The target machine must have TCP/IP network capabilities.

Communication
The client application communicates with the server application using TCP with encrypted UDP packets.

Configuration of the server application
The server application can be configured with the following parameters:

  • Its installed filename
  • The communication port
  • The name of the value it will add to the registry
  • A password for encrypting the client/server packets used for communication
  • A custom plugin DLL to run with the server application

Default configuration
By default, if the server application has not been otherwise configured, the installed filename is ".exe" (e.g., that's a space followed by ".exe"), the communication port is 31337, the registry value name is empty (e.g., the default registry value entry is used), and no password is used (although the communication is still encrypted).

Is Back Orifice a Threat?
Potentially, the tool can be used by an unscrupulous user (e.g., the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, etc. However, the following are obstacles limiting the threat:

  • The server application must be installed on the target machine. This requires the user of the machine to either deliberately install this application or be tricked into doing so.
  • The attacker must know the IP address of the target machine. Although, the attacker can use the client application to perform a search through a range of IP addresses, this is infeasible if the attacker can not narrow the range to a small subset because there are four billion possible IP addresses.
  • A firewall between the target machine and the attacker virtually makes it impossible for the attacker to communicate with the target machine. Most corporations have firewalls in place.
  • By following safe computing practices, for example, not downloading or running applications from unknown sources, users can protect themselves from the potential threat.